# Cryptographic Failures (A02:2021)
Previously known as Sensitive Data Exposure, this security risk deals with the protection of data and therefore with its encryption.
# Background
# Context
Data is processed by almost every web application. This data is sent over the internet and stored in databases on the server of the web application. Data that falls under regulations such as the GDPR, for example credit card numbers, health records and other sensitive information, must be protected.
# Problems
- Use of weak cryptographic algorithms
- Use of default keys and passwords
- Poor key management
- Misconfiguration of encryption functions
# Solutions
- Use of framework-native functions or libraries
# Technology
Code examples were created for JavaScript and Java.
DANGER: Never implement your own cryptographic functions!
# Node.js
When using Node.js based frameworks, one can choose the native crypto module. However, this module requires additional configuration to meet the recommendations found in the literature.
TIP: Using crypto-js is recommended because of its strong security by default.
# Spring Boot
Spring Boot offers native encryption via its Encryptor and Decryptor classes. These classes (available as BytesEncryptor or TextEncryptor) offer different functions to encrypt data. Both offer a method called standard(), which is not sufficient, and an improved version called stronger() or delux().
TIP: Use either stronger() or delux() to encrypt data, since they provide OWASP's recommended level of security.